heroui logo

XDG-Open Command Execution

Elastic Detection Rules

View Source
Summary
This rule detects when the xdg-open utility is started on Linux hosts. It matches events where host.os.type == "linux", event.type == "start", and the action indicates execution (exec, exec_event, executed, process_started, ProcessRollup2). It triggers if the process name is xdg-open or its invocation arguments point to common xdg-open paths (e.g., /bin/xdg-open, /usr/bin/xdg-open, /usr/local/bin/xdg-open) or simply an xdg-open invocation in the command line. Since xdg-open opens files and URLs with the user’s desktop application, an attacker may abuse it to present a malicious document or URL to the user, leveraging user interaction to facilitate compromise. The rule aggregates signals from multiple data sources, including Elastic Endgame, Elastic Defend, CrowdStrike, SentinelOne Cloud Funnel, and Auditd Manager, to improve Linux endpoint coverage. It maps to MITRE ATT&CK technique T1204 (User Execution) with subtechniques Malicious Link, Malicious File, and Malicious Copy and Paste, aligning with common social engineering delivery paths. Severity is medium and timestamps rely on event.ingested. Note that legitimate uses of xdg-open exist; true positives can be refined by correlating with additional indicators such as target URL/file reputation, user context, and anomalous invocation patterns.
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1204
  • T1204.001
  • T1204.002
  • T1204.004
Created: 2026-07-02